One year ago, Edward Snowden [4] released data revealing that the U.S. National Security Agency [5] had spied on the Indian embassy in Washington and its mission to the United Nations. The NSA has been conducting mass surveillance and collecting data worldwide and India was the fifth most-tracked country; 6.3 billion [6] pieces of intelligence were gathered from India.

India’s mild response, especially when compared to other emerging powers such as Brazil, was domestically seen as a reflection of India’s own aspirations in the world of surveillance—after all didn’t India wish it had the same capabilities?

India faces internal and external security challenges. Bits and pieces of information reported in the media suggest India has been upping its surveillance game, but there is no clarity whatsoever on privacy or protection from abusive misuse of information by security agencies, already prone to religious or ethnic profiling, arbitrary arrests, and custodial torture.

In April 2013, the previous government started rolling out an ambitious Central Monitoring System [7] to enable government interception of all phone and Internet communications in the country, bypassing service providers. While this will be a more centralized system of surveillance once it’s fully in place, the government is already doing much of this in a decentralized manner [8].

The government also directed telecom companies to include callers’ user location data [9] as part of their call data records. This means that the government will have easier access to this information for everyone who has a cell phone in India. The license agreement [10] mandates that location data should be part of call data records within three years, but until then the companies will be required to provide the authorities with this information for targeted users. Cellular operators say they have pushed back for now, but have to comply with providing information on targeted users. The government also requires the companies to store call data records for at least a year as per the agreement raising further questions on protection of data [11], who has access to it and how it will be used.

There is little information on the current technical capabilities of the Central Monitoring System, but the government has not publicly rebutted allegations of broad surveillance powers in the media or by rights groups worried about its chilling effects on free expression. This opacity is exacerbated as there is no single agency authorized to conduct surveillance, make requests for blocking content, or seek user data. According to some reports, nine agencies [12] are empowered to conduct interception and Internet companies receive requests from multiple agencies.

India does not have a privacy law which could possibly protect against arbitrary or mass intrusions on privacy. In 2012, an expert group [13] chaired by a retired judge laid down nine principles for an Indian privacy law and said that the law should also establish an enforcement mechanism to ensure compliance. India has just voted in a new government and this should be one of its priorities.

India’s poor record protecting free expression on the Internet raises further concerns about these mass surveillance programs. In recent years, authorities have repeatedly used the Information Technology Act to arrest people for posting comments on social media that are critical of the government or particular politicians, put pressure on websites such as Facebook [14]FB +0.74% [15] and Google [16]GOOGL -0.14% [17] to filter or block content, and impose liability on private intermediaries to filter and remove content from users.

Data localization could require global Internet companies to set up servers within the country and store Indian data there. Mass surveillance by the U.S. is unjustified and countries have legitimate concerns about the U.S. having access to data that might compromise their security and the privacy of their citizens. But in the absence of a privacy law, strong data protection mechanisms, and an environment that promotes free speech on the Internet, data localization demands in India have raised concerns among both industry and free speech advocates.

Data localization wouldn’t be effective at protecting Indian data from U.S. spying. Nothing in Snowden’s revelations suggests that NSA spying is bound by national borders. Besides, any communication between someone in India and someone in the United States would be accessible by the NSA. Experts also argue that data localization would fragment the Internet, undermining its value as a unified global network.

The Indian government has legitimate national security, and law-and-order concerns. However the new government should acknowledge that security should not come at the cost of privacy and basic human rights. In fact, security threats could be better dealt with through a targeted surveillance program in line with international human-rights standards.

To protect privacy and free expression rights, India’s new government needs to make the system more transparent and build in robust, independent oversight mechanisms.

As a first step, the Parliament should conduct a full review to ensure current surveillance practices are lawful. Government requests for user communications or interception should require a court order and be subject to judicial oversight. The Parliament should also provide another check on abuses by periodically reviewing the necessity and proportionality of surveillance programs.

The new government has promised “minimum government, maximum governance.” It can and should start by protecting civil liberties and increasing accountability for the agencies surveilling and intercepting information.

Jayshree Bajoria is a researcher at Human Rights Watch. You can follow her on twitter @jayshreebajoria [20].